Overview

overview

10

Static

static

f247ae6db5...in.exe

windows7_x64

10

f247ae6db5...in.exe

windows10_x64

10

Resubmissions

08-06-2024 15:19

240608-sqmvesch2s 10

06-11-2020 15:33

201106-nz68d98cw2 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin

  • Size

    212KB

  • Sample

    201106-nz68d98cw2

  • MD5

    723825ad69a5d55a1e5ed3d1ee831f0d

  • SHA1

    7e082df63c3de0f8bf9d38edf72ba5268078275a

  • SHA256

    f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

  • SHA512

    dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Score
10/10
persistenceransomware

Malware Config

Extracted

Path

C:\RECOVERY DATA INFORMATION.TXT

Ransom Note
Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Before payment you can send us 1-2 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 3 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Please be sure that we will find common languge. We will restore all the data. Email to contact us - [email protected] Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 342-09B-CF1

Extracted

Path

C:\RECOVERY DATA INFORMATION.TXT

Ransom Note
Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Before payment you can send us 1-2 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 3 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Please be sure that we will find common languge. We will restore all the data. Email to contact us - [email protected] Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 2A3-294-AF4

Targets

    • Target

      f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin

    • Size

      212KB

    • MD5

      723825ad69a5d55a1e5ed3d1ee831f0d

    • SHA1

      7e082df63c3de0f8bf9d38edf72ba5268078275a

    • SHA256

      f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

    • SHA512

      dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

    Score
    10/10
    persistenceransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies service

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks